Breaches of personal data: blaming the myth and punishing the victim

An analysis of 25 years' worth of the loss of computerized personal data …

A study that will appear in the Journal of Computer-Mediated Communication later this year analyzes failures to secure computerized personal records. One of its authors, Phil Howard, was kind enough to provide Ars with a draft copy of the paper. The analysis suggests that both the public understanding of these leaks and the legislative response to them are focusing on the wrong targets.

The study used press reports to identify incidents in part because there is no centralized reporting mechanism, and in part because many of the incidents have not resulted in prosecutions. The authors did require independent verification of incidents, and used the lowest figure for the number of records compromised when reports did not agree. Even by these conservative standards, the results were enormous: over 1.9 billion records exposed, or an average of 9 records for every American citizen.

That figure is almost certainly an extreme underestimation. State laws requiring a reporting of personal information loss only came into effect within the past three years. Almost certainly as a result, there were more reported incidents in 2005 and 2006 than all the previous years combined.

The researchers separated the incidents according to a number of criteria, including the cause (hacker, lost hardware, etc.) and the organization that did the losing. Their analysis suggests that we're both misidentifying the cause of the losses, and incorrectly targeting our legislative responses accordingly.

Hackers: the security folk devil

In a recent dissection of the connection between gaming and violence, the term "folk devil" was used to describe something that can be labeled dangerous in order to assign blame in a case where the causes are complex and unclear. The new paper suggests that hackers have become the folk devils of computer security, stating that "even though the campaign against hackers has successfully cast them as the primary culprits to blame for insecurity in cyberspace, it is not clear that constructing this target for blame has improved the security of personal digital records."

Part of this argument is based on the contention that many of the criminal groups that engage in illicit access to records are culturally distinct from the hacker community and that the hacker community proper is composed of a number of subcultures, some of which may access personal data without distributing it.

But, even if a more liberal definition of hacker is allowed, they still account for far less than half of the data losses. The report states that "60 percent of the incidents involve missing or stolen hardware, insider abuse or theft, administrative error, or accidentally exposing data online."

Those figures come from analyzing the data while eliminating a single event, the compromise of 1.6 billion records at Axciom. The Axciom data loss is informative, as it reveals how what could be categorized as a hack involves institutional negligence. The records stolen from the company were taken by an employee that had access to Axciom servers in order to upload data. That employee gained download access because Axciom set the same passwords for both types of access.

Legislation: punish the hackers and victims

These figures suggest that there is a substantial institutional component to data losses, a contention the paper supports by noting the fact that medical and military institutions, which have a history of privacy and security concerns, account for a total of 12 percent of the total incidents. In contrast, educational institutions, which have a mission focused on sharing information, account for 30 percent of the total incidents.

Institutions, however, are not the target of much legislation related to privacy breaches. The USA Patriot Act reinforced long-term trends of targeting hackers with severe punishments; some unauthorized hacking offenses now carry more severe penalties than violent crimes. In contrast, those maintaining the databases have only recently been subject to notification laws, and remain largely unpunished for poor security. In fact, the notification laws largely shift the burden of action back to the victims of the crimes; those whose identities have been compromised.

The legislative free ride for the operators of computerized records servers is the exact opposite of the legal approach used in other matters of Internet data availability. In cases of pornography and online gambling, prosecution has focused on those running the servers from which the activity originates. Arguments have been raised that the market will find a solution to security issues, but it's not clear why minimum standards of safety are acceptable in some fields, but not when it comes to digital data.

Ultimately, as the report notes, "As a society, how we assign responsibility will ultimately shape the responses that we collectively devise to manage the use of these electronic personal records." Given that its data suggests that a significant portion of the blame should go to those who hold the data, the report argues forcefully for legislation that requires they meet minimum data safety standards.